Abstract

Bit commitment involves the submission of evidence from one party to another so 
that the evidence can be used to confirm a later revealed bit value by the first party, 
while the second party cannot determine the bit value from the evidence alone. It is 
widely believed that unconditionally secure quantum bit commitment is impossible due 
to quantum entanglement cheating, which is codified in a general impossibility theorem.
In this paper, the scope of this general impossibility proof is analyzed, and gaps
are found. Two variants of a bit commitment scheme utilizing anonymous quantum 
states and decoy states are presented. In the first variant, the exact verifying measurement
is independent of the committed bit value, thus the second party can make
it before the first party opens, making possible an unconditional security proof based 
on no-cloning. In the second variant, the impossibility proof fails because quantum 
entanglement purification of a mixed state does not render the protocol determinate. 
Whether impossibility holds in this or similar protocols is an open question, although 
preliminary results already show that the impossibility proof cannot work as it stands. 

PACS #: 03.67Dd, 03.65Bz 



Note: 

We have made a few clarifications and elaborations in this revision. 
I Introduction



Quantum cryptography |IJ, the study of information security systems involving quantum 
effects, has recently been associated almost exclusively with the cryptographic objective of 
key distribution. This is due primarily to the nearly universal acceptance of the general 
impossibility of secure quantum bit commitment (QBC), taken to be a consequence of the 
Einstein-Podolsky-Rosen (EPR) type entanglement cheating which rules out QBC and other 
quantum protocols that have been proposed for various other cryptographic objectives [[|. 
In a bit commitment scheme, one party, Adam, provides another party, Babe, with a piece 
of evidence that he has chosen a bit b (0 or 1) which is committed to her. Later, Adam 
would "open" the commitment: revealing the bit b to Babe and convincing her that it is 
indeed the committed bit with the evidence in her possession. The usual concrete example 
is for Adam to write down the bit on a piece of paper which is then locked in a safe to be 
given to Babe, while keeping for himself the safe key that can be presented later to open the 
commitment. The evidence should be binding, i.e., Adam should not be able to change it, 
and hence the bit, after it is given to Babe. It should also be concealing, i.e., Babe should 
not be able to tell from it what the bit b is. Otherwise, either Adam or Babe would be able 
to cheat successfully. 

In standard cryptography, secure bit commitment is to be achieved either through a 
trusted third party or by invoking an unproved assumption on the complexity of certain 
computational problems. By utilizing quantum effects, various QBC schemes not involving a
third party have been proposed that were supposed to be unconditionally secure, in the sense 
that neither Adam nor Babe can cheat with any significant probability of success as a matter 
of physical laws. In 1995-1996, a general proof on the impossibility of unconditionally secure 
QBC and the insecurity of previously proposed protocols were described H-p]. Henceforth, 
it has been generally accepted that secure QBC and related objectives are impossible as a 
matter of principle pfl-PI)fl. 

There is basically just one impossibility proof, which gives the EPR attacks for the cases of 
equal and unequal density operators that Babe has for the two different bit values. The proof 
shows that if Babe's successful cheating probability is close to the value 1/2, which is 
obtainable from pure guessing of the bit value, then Adam's successful cheating probability
$P_c^A$ is close to the perfect value 1. This result is stronger than the mere impossibility of
unconditional security, namely that it is impossible to have both $P_c^B \sim 1/2$ and $P_c^A \sim 0$.
Since there is no known characterization of all possible QBC protocols, logically there
can really be no general impossibility proof even if it were indeed impossible to have an 
unconditionally secure QBC protocol. 

In this paper, the formulation within which the general impossibility proof was developed 
will be analyzed. The mechanism for the success of the impossibility proof within a limited 
scope will be delineated. It is shown that the use of classical randomness unknown to 
one of the two parties, common in many standard cryptographic protocols, is not properly 
accounted for in the previous impossibility proof formulation. In particular, the turning 
of classical randomness into quantum determinateness via quantum purification of a mixed
quantum state does not render a quantum protocol determinate with no further role for 
classical randomness, as described in the impossibility proof. Specifically, a scheme utilizing 
anonymous states and decoy states will be presented, and the different ways in which the 
impossibility proof fails for these variants will be explicitly pinpointed. The results are 
developed within nonrelativistic quantum mechanics, unrelated to relativistic protocols |T|
or cheat-sensitive protocols Hl2|. Since bit commitment leads to "coin-tossing" and other
cryptographic protocols, our present results have immediate impact on many recent works
on quantum coin-tossing and multiparty computation.

To provide a foretaste of the failure of the impossibility proof, the following two points 
may be mentioned. First, the impossibility proof has no role for any possible classical 
randomness that Babe may introduce, which, even after quantum purification, would actually 
be explicitly used by her in her verification of the bit. If the use of such randomness by Babe is 
taken into account, it is not hard to see that the success of Adam's EPR cheat may depend on 
knowing the actual value of such random numbers. Secondly, there are concealing protocols 
for which Babe can make all the measurements for verification before Adam opens because 
the verifying measurement is independent of the bit value, with no consequent possibility that 
an information carrying state needs to be discarded due to measurement basis mismatch. 
This kind of protocol is one of several types outside the impossibility proof formulation. 



Indeed, a general formulation of all possible QBC protocols is not yet available that includes 
a proper expression of just the concealing condition, not to mention both concealing and 
binding with corresponding expressions for the cheating probabilities. 

In section II, the impossibility proof will be described and extended. The mechanism
of its success within its limited scope will be highlighted. In section III, the use of anonymous
states in QBC will be developed, in which Babe uses classical random numbers in
the most direct way in protocols involving two-way quantum communication. It is explicitly
demonstrated that the impossibility proof, specifically the use of the doctrine "Church of
Larger Hilbert Space," fails to cover such situations in two different ways. In section IV,
our basic scheme is introduced in a preliminary form which is not yet unconditionally secure
but which already invalidates the impossibility proof. Two variants of the scheme are
described, one of which, QBCp3m, allows Babe to make perfect verifying measurements
before Adam opens. The reader is urged to first read Appendix D for a concise presentation
of this basically rather simple protocol, as it confirms our statement above that there can be
no general impossibility proof without a characterization of all possible QBC protocols. In
section V, the protocol QBCp3m is extended to fully unconditionally secure ones together
with their security proofs. Some general and practical observations are made in the last
section VI. Note that the same index may denote different quantities in different sections,
and the notation $\otimes$ is often omitted for brevity.
II The Impossibility Proof

In this Section we review the standard formulation of the impossibility proof, present some 
pertinent new results, and explain the precise mechanism of the EPR cheating. 

According to the impossibility proof, Adam would generate $|\Phi_0\rangle$ or $|\Phi_1\rangle$ depending on
$b = 0$ or 1,

$$|\Phi_0\rangle = \sum_i \sqrt{p_i}\,|e_i\rangle|\phi_i\rangle, \qquad (1)$$

$$|\Phi_1\rangle = \sum_i \sqrt{p'_i}\,|e'_i\rangle|\phi'_i\rangle, \qquad (2)$$

where the states $\{|\phi_i\rangle\}$ and $\{|\phi'_i\rangle\}$ in $\mathcal{H}^B$ are openly known, $i \in \{1, \ldots, M\}$, $\{p_i\}$ and $\{p'_i\}$
are known probabilities, while $\{|e_i\rangle\}$ and $\{|e'_i\rangle\}$ are two complete orthonormal sets in $\mathcal{H}^A$.
All Dirac kets are normalized in this paper. Adam sends Babe $\mathcal{H}^B$ while keeping $\mathcal{H}^A$ to
himself. He opens by measuring the basis $\{|e_i\rangle\}$ or $\{|e'_i\rangle\}$ in $\mathcal{H}^A$ according to his committed
state $|\Phi_0\rangle$ or $|\Phi_1\rangle$, resulting in a specific $|\phi_i\rangle$ or $|\phi'_i\rangle$ on $\mathcal{H}^B$, and telling Babe which $i$ he has
obtained. Babe verifies by measuring the corresponding projector and will obtain the value
1 (yes) with probability 1. In this formulation, Adam can switch between $|\Phi_0\rangle$ and $|\Phi_1\rangle$ by
operation on $\mathcal{H}^A$ alone, and thus alter the evidence to suit his choice of $b$ before opening the
commitment. In the case $\rho_0^B \equiv \mathrm{tr}_A|\Phi_0\rangle\langle\Phi_0| = \rho_1^B \equiv \mathrm{tr}_A|\Phi_1\rangle\langle\Phi_1|$, the switching operation is
to be obtained by using the so-called "Schmidt decomposition [13]," the expansion of $|\Phi_0\rangle$
and $|\Phi_1\rangle$ in terms of the eigenstates of $\rho_0^B = \rho_1^B$ with eigenvalues and the eigenstates
$|e_k\rangle$ and $|e'_k\rangle$ of $\rho_0^A$ and $\rho_1^A$,



$o) = EAl^)W, l$i> = E y/^kWMk) (3) 



k k 

TA 



By applying a unitary $U$ that brings $\{|e_k\rangle\}$ to $\{|e'_k\rangle\}$, Adam can select between $|\Phi_0\rangle$ or $|\Phi_1\rangle$
any time before he opens the commitment but after he supposedly commits. When $\rho_0^B$ and
$\rho_1^B$ are not equal but close, it was shown that one may transform $|\Phi_0\rangle$ by a $U^A$ to a $|\tilde\Phi_0\rangle$
with $|\langle\Phi_1|\tilde\Phi_0\rangle|$ as close to 1 as $\rho_0^B$ is close to $\rho_1^B$ according to the fidelity $F$ chosen, and thus
the state $|\tilde\Phi_0\rangle$ would serve as the effective EPR cheat.

In addition to the above quantitative relations, the gist of the impossibility proof is 
supposed to lie in its generality - that any QBC protocol could be fitted into its formulation, 
as a consequence of various arguments advanced in ||-|]nj. Among other reasons, it appeared
to the present author from his development of a new cryptographic tool, anonymous quantum
key technique [JH], that the impossibility proof is not sufficiently general. Since there is no
need for Adam to entangle anything in an honest protocol, Adam can just send Babe a
state $|\phi_i\rangle$ with probability $p_i$ when he picks $b = 0$. When he picks $b = 1$, he sends $|\phi'_i\rangle$ with
probability $p'_i$. If the anonymous key technique is employed, $|\phi_i\rangle$ and $|\phi'_i\rangle$ are to be obtained
from applying $U_{0i}$ or $U_{1i}$ from some fixed openly known set of unitary operators $\{U_{0i}\}$ and
$\{U_{1i}\}$ on $\mathcal{H}^B$ by Adam to the states sent to him by Babe and known only to her. As
a consequence, Adam would not be able to determine the cheating unitary transformation
$U^A$. This use of anonymous states is not explicitly accounted for in the open literature,
and the role of classical random numbers in the problem formulation is not clearly and
fully laid out in the impossibility proof. However, it seems the prevailing opinion is that
the impossibility proof covers classical randomness in essence, basically through the use of
quantum purification of classical randomness @|, 0, [15]. This claim that the impossibility
proof covers all classical randomness has never been explicitly demonstrated, and it is one
major purpose of this paper to show that such a claim is erroneous. The gap in the reasoning,
to be delineated in section III, is best appreciated after a careful quantitative development
of the impossibility proof to be presently given.

In a QBC protocol, the $\{|\phi_i\rangle\}$ and $\{|\phi'_i\rangle\}$ are chosen so that they are concealing as
evidence, i.e., Babe cannot reliably distinguish them in optimum binary hypothesis testing
T6fl. They would also be binding if Adam is honest and sends them as they are above,
which he could not change after Babe receives them. Babe can always guess the bit with a
probability of success $P_c^B = 1/2$, while Adam should not be able to change a committed bit
at all. However, it is meaningful and common to grant unconditional security when the best
$P_c^B$ Babe can achieve is arbitrarily close to 1/2 and Adam's best probability of successfully
changing a committed bit $P_c^A$ is arbitrarily close to zero even when both parties have perfect
technology and unlimited resources including unlimited computational power ^J.

The operation of unitary transformation with subsequent measurement of an orthonormal
basis is equivalent to the mere measurement of another orthonormal basis $\{|\tilde e_i\rangle\}$ on the
system. Thus, the net cheating operation can be described by writing

i 

$$\sqrt{\tilde p_i}\,|\tilde\phi_i\rangle = \sum_j \sqrt{p_j}\,V_{ij}\,|\phi_j\rangle \qquad (5)$$

for a unitary matrix V defined by |e») = and then measuring |ej). For convenience, 

we may still in the rest of the paper refer to the cheating operation as a $U^A$ transformation
described at the beginning of this Section, with $|\tilde e_i\rangle = U^A|e_i\rangle$. From (5), the $|\tilde\phi_i\rangle$ obtainable
by operation on $\mathcal{H}^A$ alone are some unitary linear combinations of the $|\phi_i\rangle$. The quantitative
expression for $P_c^A$ can now be given. If Babe verifies the individual $|\phi'_i\rangle$, then Adam's successful
cheating probability is

$$P_c^A = \sum_i \tilde p_i\,|\langle\tilde\phi_i|\phi'_i\rangle|^2. \qquad (6)$$

When randomness from Babe is present, further averaging is needed to yield the final $P_c^A$.
The EPR cheating mechanism is clear from (5) — via entanglement and measurement of a
different basis, Adam can generate unitary linear combinations of the committed states to
approximate the states $|\phi'_i\rangle$. The approximation is guaranteed to be good when the protocol
is concealing, as follows.

In general, the optimal cheating probability $P_c^B$ for Babe is given by the probability of
correct decision for optimally discriminating between two density operators $\rho_0^B$ and $\rho_1^B$ by
any quantum measurement. For equal a priori probabilities,

$$P_c^B = \frac{1}{4}\left(2 + \|\rho_0^B - \rho_1^B\|_1\right) \qquad (7)$$

where $\|\cdot\|_1$ is the trace norm, $\|\tau\|_1 = \mathrm{tr}(\tau^\dagger\tau)^{1/2}$, for a trace-class operator $\tau$ [17]. In terms
of a security parameter $n$ that can be made arbitrarily large, the statement of unconditional
security (US) can be quantitatively expressed as

$$\text{(US)} \quad \lim_n P_c^B = \frac{1}{2} \ \text{ and } \ \lim_n P_c^A = 0. \qquad (8)$$

Condition (US) is equivalent to the statement that for any $\epsilon > 0$, there exists an $n_0$ such
that for all $n > n_0$, $P_c^B - \frac{1}{2} < \epsilon$ and $P_c^A < \epsilon$, i.e., $P_c^B - \frac{1}{2}$ and $P_c^A$ can both be made
arbitrarily small for sufficiently large $n$. The impossibility proof claims more than the mere
impossibility of (US); it asserts H the following statement (IP):

$$\text{(IP)} \quad P_c^B = \frac{1}{2} + O\!\left(\frac{1}{n}\right) \;\Rightarrow\; P_c^A = 1 - O\!\left(\frac{1}{n}\right) \qquad (9)$$

Condition (9) implies the following limiting statement

$$\text{(IP')} \quad \lim_n P_c^B = \frac{1}{2} \;\Rightarrow\; \lim_n P_c^A = 1 \qquad (10)$$

that directly contradicts (8). One may regard (IP') as the general impossibility statement,
independently of the specific convergence rate of (9). In the $\rho_0^B = \rho_1^B$ case, the EPR cheat
shows that $P_c^B = \frac{1}{2}$ implies $P_c^A = 1$. Thus (IP') generalizes it to the assertion that the
function $P_c^A(P_c^B)$, obtained by varying $n$, is continuous from above at $P_c^B = \frac{1}{2}$. Note the
difference between the truth of (IP') and the weaker statement that (US) is impossible. In
the middle ground that $\lim_n P_c^B = \frac{1}{2}$ implies just $0 < \lim_n P_c^A < 1$, the protocol would
be concealing for Babe and quantitatively cheat-sensitive for Adam. However, it may be
expected that if $P_c^A$ is not close to 1, it may be made close to 0 in an extension protocol
which thus becomes unconditionally secure.

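The cheating transformation for the $\rho_0^B \neq \rho_1^B$ case is determined from ref. according
to the impossibility proof [3]-[4], which would proceed as follows. Let $|\lambda_i\rangle$ and $|\mu_i\rangle$ be the
eigenstates of $\rho_0^B$ and $\rho_1^B$ with eigenvalues $\lambda_i$ and $\mu_i$. The Schmidt normal forms of the
purifications $|\Phi_0\rangle$ and $|\Phi_1\rangle$ of $\rho_0^B$ and $\rho_1^B$ are given by

$$|\Phi_0\rangle = \sum_i \sqrt{\lambda_i}\,|f_i\rangle|\lambda_i\rangle, \qquad (11)$$

$$|\Phi_1\rangle = \sum_i \sqrt{\mu_i}\,|g_i\rangle|\mu_i\rangle \qquad (12)$$

for complete orthonormal sets $\{|f_i\rangle\}$ and $\{|g_i\rangle\}$ on $\mathcal{H}^A$. Define the unitary operators $U_0$, $U_1$
and $U_2$ by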

(13) 
(14) 
(15) 



U \\i) = 




Ux\Xi) = 




U 2 \pi) = 


\9i)- 
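Let $U$ be the unitary operator for the polar decomposition of $\sqrt{\rho_0^B}\sqrt{\rho_1^B}$,

$$\sqrt{\rho_0^B}\sqrt{\rho_1^B} = \left|\sqrt{\rho_0^B}\sqrt{\rho_1^B}\right| U. \qquad (16)$$

Then $|\langle\Phi_0|\Phi_1\rangle|$ assumes its maximum value $F(\rho_0^B, \rho_1^B)$, $F(\rho_0, \rho_1) \equiv \mathrm{tr}\sqrt{\sqrt{\rho_0}\,\rho_1\sqrt{\rho_0}}$, when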

UUfUoUZU? = I (17) 

where T denotes the transpose operation. Thus, when pf, pf, and | e^) are given, \g^) = |e£) 
of $|\Phi_1\rangle$ is determined from (12) via solving for $U_2$ from (17). In general, these $U$'s are
isometries, but the above relations still hold.

The above formulation (11)-(17), utilizing Jozsa's proof [18] of Uhlmann's theorem, covers
both the $\rho_0^B = \rho_1^B$ case and the $U = I$ (i.e., $|\Phi_0\rangle = |\Phi_1\rangle$) situation as special cases.
Apparently from these equations, knowledge of the eigenstates of $\rho_0^B$ and $\rho_1^B$ is required to
find the cheating transformation $U^A$ that brings $|e_i\rangle$ to $|\tilde e_i\rangle$. Actually, both (11)-(17) and
the Schmidt decomposition obscure the underlying mechanism of the EPR cheating given by
(5). In the present context, they suggest that knowledge of the $\rho_b^B$ eigenstates is needed to
determine $U^A$, which is actually much more simply determined by the following

Theorem 2: 

The $U^A$ that maximizes $|\langle\tilde\Phi_0|\Phi_1\rangle|$, defined through the matrix $U$, $U_{ij} = \langle e_i|U^A|e_j\rangle$, is
determined by

$$\Lambda U = |\Lambda| \qquad (18)$$



where 



Aq^y/ifaWM, |A| = (AAt)l (19) 
When pi = p'i, the corresponding 

p c a = J2(\Mu) 2 (20) 



which satisfies 



p2 <pA <p (21) 






The lower bound in (21) is valid also for $p_i \neq p'_i$.

Theorem 2 is proved in Appendix A. Note that in terms of the $V$ in (5), $U = V^T$. The
bounds (21) simply characterize $P_c^A$ in terms of $F$, and yield $P_c^A \geq F^2$ for the actual optimal
probability $P_c^A$ that maximizes (6). This lower bound yields the usual impossibility proof
or (IP) of (9) when combined with the lower bound on $\|\cdot\|_1$ in terms of $F$ [19]. When $\Lambda$ is
invertible, $U = \Lambda^{-1}|\Lambda|$ from (18). In general, one does not need to compute the eigenstates
of $\rho_b^B$ to find $U^A$, which is determined through $\Lambda$ that is given directly in terms of the known
states and probabilities.
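
The EPR cheat of (1)-(6) can be checked numerically. The following is an added example, not code from the paper: it builds the overlap matrix from the two openly known ensembles, obtains Adam's unitary on $\mathcal{H}^A$ from a polar (SVD) decomposition in the spirit of Theorem 2, and evaluates Babe's $P_c^B$ from (7) and Adam's $P_c^A$ from (6). The qubit ensembles, the function names and the index convention used for the overlap matrix are assumptions of this example.

```python
import numpy as np

# Constructed sample kets on Babe's qubit H^B (not taken from the paper).
KET0 = np.array([1, 0], dtype=complex)
KET1 = np.array([0, 1], dtype=complex)
PLUS = (KET0 + KET1) / np.sqrt(2)
MINUS = (KET0 - KET1) / np.sqrt(2)


def density(probs, states):
    """rho^B = sum_i p_i |phi_i><phi_i|: what Babe holds before Adam opens."""
    return sum(p * np.outer(s, s.conj()) for p, s in zip(probs, states))


def babe_guess_probability(rho0, rho1):
    """Eq. (7): P_c^B = (2 + ||rho0 - rho1||_1) / 4 for equal priors."""
    trace_norm = np.abs(np.linalg.eigvalsh(rho0 - rho1)).sum()
    return float((2.0 + trace_norm) / 4.0)


def is_unitary(w):
    return bool(np.allclose(w @ w.conj().T, np.eye(w.shape[0])))


def epr_cheat(p0, phi0, p1, phi1):
    """Adam commits |Phi_0> = sum_j sqrt(p0_j)|e_j>|phi0_j>, later applies a
    unitary W on H^A alone, measures {|e_i>} and announces b = 1 with outcome i.

    W is chosen to maximise the overlap <Phi_1|(W x I)|Phi_0> = tr(W Lam),
    with the example's own convention
        Lam[j, i] = sqrt(p0_j * p1_i) * <phi1_i|phi0_j>.
    It maximises the overlap, not (6) itself, so P_A is a lower bound on
    Adam's best cheating probability.
    Returns (W, F, P_A) with F = tr|Lam| and P_A evaluated as in (6).
    """
    m = len(p0)
    lam = np.array([[np.sqrt(p0[j] * p1[i]) * np.vdot(phi1[i], phi0[j])
                     for i in range(m)] for j in range(m)])
    a, s, bh = np.linalg.svd(lam)          # lam = a @ diag(s) @ bh
    w = bh.conj().T @ a.conj().T           # makes W @ lam positive semidefinite
    fidelity = float(s.sum())
    p_cheat = 0.0
    for i in range(m):
        # Unnormalised state left on H^B when Adam obtains outcome i, as in (5).
        steered = sum(w[i, j] * np.sqrt(p0[j]) * phi0[j] for j in range(m))
        # Babe projects onto |phi1_i>; summing gives (6).
        p_cheat += abs(np.vdot(phi1[i], steered)) ** 2
    return w, fidelity, float(p_cheat)


def run_case(p0, phi0, p1, phi1):
    """Evaluate both parties' cheating probabilities for one pair of ensembles."""
    w, fidelity, p_adam = epr_cheat(p0, phi0, p1, phi1)
    p_babe = babe_guess_probability(density(p0, phi0), density(p1, phi1))
    return {"P_B": p_babe, "F": fidelity, "P_A": p_adam, "W": w}


# Perfectly concealing ensembles (rho_0^B = rho_1^B = I/2): the cheat is perfect.
CONCEALING = ([0.5, 0.5], [KET0, KET1], [0.5, 0.5], [PLUS, MINUS])
# Partially concealing ensembles: Babe gains information, Adam's cheat degrades.
PARTIAL = ([0.5, 0.5], [KET0, KET1], [0.5, 0.5], [KET0, PLUS])

if __name__ == "__main__":
    for name, case in (("concealing", CONCEALING), ("partial", PARTIAL)):
        r = run_case(*case)
        print(f"{name:10s}  P_c^B = {r['P_B']:.4f}  F = {r['F']:.4f}  "
              f"P_c^A = {r['P_A']:.4f}  (F^2 = {r['F'] ** 2:.4f})")
```

In the second case the overlap-maximizing unitary gives a $P_c^A$ equal to $F^2$, so the lower bound quoted after Theorem 2 is attained there.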
III The Impossibility Proof and Anonymous States



The use of anonymous states by Babe as briefly described in the last section is just one 
obvious way to introduce classical randomness for her in a QBC protocol, which appears 
to thwart Adam's EPR cheating by denying him the knowledge to find the proper cheating 
transformation. The ways in which the impossibility proof fails in this situation are detailed 
in this section. 

In general, such use of anonymous states by Babe can be described as follows. She sends
Adam a state $|\psi\rangle \in \mathcal{H}^B$ known only to herself. Depending on $b = 0$ or 1, Adam applies
to $|\psi\rangle$ a unitary operator $U_{bi}$, $i \in \{1, \ldots, M\}$, with probabilities $p_i$ or $p'_i$. In the notation of
section II,

$$|\phi_i\rangle = U_{0i}|\psi\rangle, \quad |\phi'_i\rangle = U_{1i}|\psi\rangle \qquad (22)$$

Adam sends the modulated state back to Babe, and opens by revealing $b$ and $i$. He can form
the entangled $|\Phi_0\rangle$ by applying the unitary operator $U_0$ on $\mathcal{H}^A \otimes \mathcal{H}^B$,

$$U_0 = \sum_i |e_i\rangle\langle e_i| \otimes U_{0i} \qquad (23)$$

with initial state $|A\rangle \in \mathcal{H}^A$ satisfying $\langle e_i|A\rangle = \sqrt{p_i}$. It appears from Theorem 2 above that
the cheating transformation $U^A$ as determined by $\langle\phi'_i|\phi_j\rangle = \langle\psi|U_{1i}^\dagger U_{0j}|\psi\rangle$ would depend on
$|\psi\rangle$ in general, thus cannot be found by Adam. The impossibility proof handles this situation
rather explicitly in ||, |J, [|l(J, and [15], in the following way.

The state $|\psi\rangle$ is supposed to be picked by Babe from a set $\{|\psi_k\rangle\}$, $k \in \{1, \ldots, L\}$ with
probabilities $\{\lambda_k\}$ that are all openly known. The associated classical randomness is then
purified by having Babe generate the entangled state

$$|\Psi\rangle = \sum_k \sqrt{\lambda_k}\,|\psi_k\rangle|f_k\rangle, \qquad (24)$$

where the $|f_k\rangle$'s are complete orthonormal in $\mathcal{H}^C$, send $\mathcal{H}^B$ to Adam while keeping $\mathcal{H}^C$ to
herself. At the end of the commitment phase she would measure $\{|f_k\rangle\}$ to pin down a
specific $|\psi_k\rangle$. The proof, however, is not carried to the end, and the above description is
considered sufficient to ensure that the impossibility proof works in the presence of classical
randomness introduced by Babe — from quantum entanglement purification of a mixed state
and postponement of all measurements to end of commitment, the classical randomness is
rendered quantum-mechanically determinate and everything is known to Adam again for
him to find the cheating transformation $U^A$. While Babe may not actually form $|\Psi\rangle$, the
so-called "Church of Larger Hilbert Space" doctrine [^DJ is used to justify the equivalence. In
the following, it will be shown that the equivalence does not hold when Babe does something
else to cheat, and that the impossibility proof does not go through even when Babe actually
forms $|\Psi\rangle$ and postpones her measurement on $\mathcal{H}^C$ until after Adam opens.

To spell out the impossibility proof argument, one actually needs to show that $U^A$ is
independent of $\{|f_k\rangle\}$ in $\mathcal{H}^C$ and Adam only needs $\mathcal{H}^B$, not the full $|\Psi\rangle$ of (24), to form
his entanglement. These turn out to be true as a consequence of (18) in Theorem 2 above.
However, it is against common probabilistic intuition that randomness would altogether
disappear (to Adam) upon a quantum interpretation. There is no reason why Babe has to
generate (24) instead of any specific $|\psi_k\rangle$. More generally, to form $|\Psi\rangle$ Babe can choose any
probability distribution on $\{|\psi_k\rangle\}$, not the $\{\lambda_k\}$ that Adam believes. It is not a meaningful
formulation to assume that Adam knows $\{\lambda_k\}$. Thus, one cannot eliminate via quantum
purification what is nonrandom to Babe (upon her choice or measurement) and random
to Adam [|2T|. Indeed, Babe can generate any state $|\psi\rangle \in \mathcal{H}^B$, or any entangled state
$|\Phi\rangle \in \mathcal{H}^B \otimes \mathcal{H}^C$ for any $\mathcal{H}^C$ that she keeps to herself. A careful formulation for the concealing
condition needs to be developed.

To show the inadequacy of the formulation of the impossibility proof, assume that $\rho_0^B(\Psi)$
and $\rho_1^B(\Psi)$ are indeed close from the use of (22) and (24) with $\lambda_k = 1/L$ for $L$ large. Let $|\psi_1\rangle$
be such that $\rho_0^B(\psi_1)$ and $\rho_1^B(\psi_1)$ are far apart, being possible even though $\rho_0^B(\Psi)$ and $\rho_1^B(\Psi)$
are close because $1/L$ is small. Then Babe can cheat by using $\lambda_1 = 1$ instead of $\lambda_k = 1/L$.
To ensure a concealing protocol, one must impose the uniformity condition

$$\rho_0^B(\psi) \approx \rho_1^B(\psi), \quad \forall\psi \in \mathcal{H}^B, \qquad (25)$$

or, more generally,

$$\rho_0^{BC}(\Phi) \approx \rho_1^{BC}(\Phi), \quad \forall\Phi \in \mathcal{H}^B \otimes \mathcal{H}^C \qquad (26)$$

for any $\mathcal{H}^C$ Babe can use to entangle, with $\approx$ being taken in the sense of trace norm from (7).
Such a concealing condition has not been given in the literature, but it is needed whenever
a state is passed from Babe to Adam in a proper formulation of the problem. From the
condition $\rho_0^{BC}(\Psi) \approx \rho_1^{BC}(\Psi)$ for a fixed $\Psi$ one may at best conclude that $\rho_0^B(\psi_k) \approx \rho_1^B(\psi_k)$
for those $\psi_k$ where $\lambda_k \neq 0$. Thus, the impossibility proof errs in asserting that Adam can
cheat under the above condition — he cannot, and Babe can instead. In Appendix B, an
example is given in which $\rho_0^{BC}(\Psi) = \rho_1^{BC}(\Psi)$ for a given $\Psi$, but Adam cannot cheat even
when no is small. 

Assuming that condition (25) is satisfied, let us examine how Adam's EPR cheating 
works. If one follows the impossibility proof, it would work if Babe verifies on the state 
of (24), i.e., depending on $b = 0$ or 1 she checks whether becomes




k 



for the i opened by Adam. However, that is not the way she verifies according to the 
protocol. She would make a preliminary measurement of $\{|f_k\rangle\}$ first with result $j$ and then
check whether the state is $U_{bi}|\psi_j\rangle$. She can in fact postpone her measurement on $\mathcal{H}^C$ until
after Adam opens. The important point is that she is going to make a measurement and use
the result in the verification. While such measurement does not allow her to cheat any better,
it may help defeat Adam's EPR cheating. In the impossibility proof there is no role given
to any classical randomness other than $\{p_i\}$ and $\{p'_i\}$ — it is implicitly assumed that Babe's
random number known only to herself is not used in her verification as just described. Such 
lack of utilization of possible classical randomness represents a huge gap in the impossibility 
proof, making it severely limited in scope and incorrect as a general proof. The doctrine 
of the "Church of Larger Hilbert Space" is irrelevant to the protocol behavior as it should 
be; it would not make the protocol determinate. It is clear that classical random numbers 
can be generated by both Adam and Babe in a general quantum protocol, which are kept 
secret from the other party and used in an essential way as in many standard cryptographic 
protocols. The impossibility proof does not begin to incorporate such possibilities. 

We examine more exactly how the impossibility proof fails in the present situation. The
cheating transformation $U^A$ is taken to be the one that maximizes $|\langle\Phi_1|U^A|\Phi_0\rangle|$, not the
one that maximizes $P_c^A$ of (6). However, in addition to the lower bound in (21) that applies
also to $P_c^A$, in general $U^A$ is determined by the inner product matrix $\{\langle\phi'_i|\phi_j\rangle\}$ apart from the
a priori probabilities. Any such cheating $U$ is thus determined via $\sum_k \lambda_k \langle\psi_k|U_{1i}^\dagger U_{0j}|\psi_k\rangle = u_{ij}$
for $|\Psi\rangle$, but via $\langle\psi_k|U_{1i}^\dagger U_{0j}|\psi_k\rangle = u_{ij}^k$ for each $|\psi_k\rangle$. There is no reason to expect that the $U$
as determined by $u_{ij}$ would be close to the $U$ determined by $u_{ij}^k$, whatever the $\lambda_k$'s are.

Actually, one does not need to transform among the maximizing $U$ in order for impossibility
to hold. The general problem can be cast as follows. From (22) and (5), we have
dependence of the committed and cheating states on the anonymous state to be simply
denoted by $\phi_i(\psi)$, $\tilde\phi_i(\psi)$, and for notational simplicity dropping the Dirac kets, as
already done occasionally above. In the present formulation with only anonymous states
from Babe in the form (22), all of Adam's possible attacks are described by local measurements
and announcing a different $b$. For this attack to succeed with $P_c^A \sim 1$ given $|\Phi_0\rangle$ is
committed, one presumably wants

$$\tilde\phi_i(\psi) \approx \phi'_i(\psi), \quad \forall\psi \in \mathcal{H}^B \qquad (28)$$

or

$$\tilde\phi_i(\Psi) \approx \phi'_i(\Psi), \quad \forall\Psi \in \mathcal{H}^B \otimes \mathcal{H}^C \qquad (29)$$

for some fixed $U^A$ or $V$ independent of $\psi$, the $\approx$ in (28)-(29) taken in the sense of state inner
product. Condition (28) expresses the requirement that as the anonymous state changes,
the approximate state $\tilde\phi_i(\psi)$ must follow the $b = 1$ states $\phi'_i(\psi)$. Strictly, the condition is
only that there exists a $V$ such that the $P_c^A(\psi)$ given by (6) satisfies

$$P_c^A(\psi) \sim 1, \quad \forall\psi \in \mathcal{H}^B \qquad (30)$$

where the $\psi$-dependence enters through $\tilde\phi_i(\psi)$ and $\phi'_i(\psi)$. The problem of impossibility (IP')
becomes whether (30) holds when (25) is satisfied. A similar condition is obtained for $\Psi$
that includes Babe's possible entanglement of the anonymous state in $\mathcal{H}^B$.

In the case of perfect security, the above use of anonymous states cannot prevent the 
success of EPR attacks due to 



Theorem 3 [22]

The condition

$$\rho_0^B(\psi) = \rho_1^B(\psi), \quad \forall\psi \in \mathcal{H}^B \qquad (31)$$

implies, for every $i$,

$$\tilde\phi_i(\psi) = \phi'_i(\psi), \quad \forall\psi \in \mathcal{H}^B \qquad (32)$$



The proof is simple — by writing out (31) in terms of $U_{bi}$, it follows from theorem 8.2 of
[23] on the freedom of CP-map decomposition that

$$\sqrt{p'_i}\,U_{1i} = \sum_j \sqrt{p_j}\,V_{ij}\,U_{0j} \qquad (33)$$

for a unitary matrix $V$. This operator relation guarantees that the state relation (32) is
satisfied for all $\psi$.

When (31) is satisfied and (18) is used to compute the cheating $U^A(\psi)$ according to
Theorem 2, it is found to be independent of $\psi$ and is given by the $V$ of (33) due to the fact
that the matrix $\langle\phi'_i|\phi_j\rangle$ becomes $V$ multiplied by the inner product matrix $\langle\phi_i|\phi_j\rangle$ which is
nonnegative. Indeed, the $V$ in (33) is also determined by following the usual impossibility
proof for any $\psi$. (Note that the Schmidt decomposition plays no role in the proofs of theorems
2 and 3 and in the results used in their proofs. Indeed, Jozsa's proof of Uhlmann's theorem
[18], which involves the Schmidt decomposition, can also be simplified along the line in the
proof of Theorem 2 in Appendix A.) Theorem 3 is significant in that it shows it is operator,
not state, entanglement that is needed in the presence of state randomness.
Under the condition

$$\rho_0^{BC}(\Psi) = \rho_1^{BC}(\Psi) \qquad (34)$$

for one fixed $|\Psi\rangle$ of the form (24), one obtains similar to the proof of Theorem 3 that

$$\rho_0^B(\psi) = \rho_1^B(\psi), \quad \forall\psi \in \mathrm{span}\{|\psi_k\rangle\}. \qquad (35)$$

Equation (35) implies, in particular, that $\rho_0^B(\psi_k) = \rho_1^B(\psi_k)$ for each $|\psi_k\rangle$ and a fixed cheating
transformation is available as above. The restriction on the validity of (35), and hence the
possibility of Adam's successful cheating, to states in the subspace spanned by $\{|\psi_k\rangle\}$ is
indispensable as shown in the example of Appendix B. We can summarize our two major
criticisms of the impossibility proof. First and foremost, it is not properly formulated so
that under (34) or

$$\rho_0^{BC}(\Psi) \approx \rho_1^{BC}(\Psi) \qquad (36)$$

for one fixed $|\Psi\rangle$ of (24), it may be Babe but not Adam who can cheat, either because she
may send $|\psi\rangle \notin \mathrm{span}\{|\psi_k\rangle\}$, or there is a $\psi_k$ for which $\rho_0^B(\psi_k) \neq \rho_1^B(\psi_k)$. Secondly, even
assuming $|\Psi\rangle$ is formed by Babe, there is no proof that there is any cheating transformation
that would work for all $|\psi_k\rangle$.

Another way to formulate the problem at hand is to use CP-map or superoperator to
characterize the transition from $\psi$ to $\rho_b^B$, similar to the proof of Theorem 3. If two general
CP-maps between operators on $\mathcal{H}_1$ and $\mathcal{H}_2$ are approximately equal in the sense of (25) with
$\psi \in \mathcal{H}_1$, the question is what approximate relation would obtain between the positive operators
in their respective decompositions. This question is a complicated one for application to
our present problem, partly because when $\epsilon = \|\rho_0^B(\psi) - \rho_1^B(\psi)\|_1$ gets small, the security
parameter $n$ grows unbounded and the resulting $\mathcal{H}^B$ and $\rho_b^B$ change profoundly. An
infinite-dimensional nonseparable Hilbert space formulation of the problem appears necessary at
the beginning. Until the question is settled in favor of impossibility, there is no general
impossibility proof for protocols employing anonymous states even just in the simple fashion
of (22).

The QBC formulation in this section, while more general than that of the impossibility
proof which is a proper formulation only if the randomness in the protocol is all in (1)-(2), is
still quite limited in scope. Indeed, the protocols of the following sections IV and V already do
not fit into the present framework exactly. There are many other ways to introduce classical
randomness in a protocol. Even though they can be represented quantum-mechanically, once
measurements are made to pin them down they would function just as in a classical protocol,
manifesting in the different ways the measurement results can be utilized. Just as in the case of
classical protocols, it does not appear possible to characterize all QBC protocols to a useful
extent that something general can be said about the corresponding cheating probabilities.
We will present elsewhere a general formulation of the QBC problem. It will be evident that
the situation is far more intricate than the impossibility proof formulation (1)-(2).
IV Bit Commitment Scheme that Contradicts the Impossibility Proof



In this section, a protocol will be given that contradicts the quantitative claim of the
impossibility proof, (IP) of (9) or (IP') of (8), without yet being unconditionally secure in the
sense (US) of (8). Its extensions to unconditionally secure protocols will be given in the 
next section V. An intuitive description on how the QBC scheme may be developed is first 
provided to explain the underlying logic. 

According to the impossibility proof formulation, there is a state $|\Phi_b\rangle$ of (1)-(2) shared
by Adam and Babe. The most general attack by Adam after $|\Phi_0\rangle$ is committed is to apply
a local $U^A$ on $\mathcal{H}^A$ and then make a measurement on $\mathcal{H}^A$, or just to make a measurement on
$\mathcal{H}^A$ as in (4)-(5), and open $b = 1$. It is evident, from the way states in $\mathcal{H}^B$ can be affected
this way as given by (5), that if $M = 1$ in (1) Adam cannot affect $\rho_0^B = |\phi\rangle\langle\phi|$ in $\mathcal{H}^B$ at all.
Unconditional security is impossible in this case because $P_c^B \sim \frac{1}{2}$ implies ~ 1 and
thus $P_c^A \sim 1$ by simply announcing $b = 1$. If one lets $\not\sim 1$ then Babe can cheat by
measurement and the protocol is not concealing. Our protocols are to be developed from
the following sequence of steps in general. To be specific, qubits will be used in this section.

To begin, let $|\phi\rangle$ and $|\phi'\rangle$ corresponding to $b = 0, 1$ be orthogonal so that Adam cannot
cheat. To defeat Babe's cheating, Adam may send to Babe the information qubit among
many random decoy states, named for example by their temporal order, and announce the
information qubit position when he opens. To prevent Adam from the obvious cheating of
sending in both $|\phi\rangle$ and $|\phi'\rangle$ and opening accordingly, an anonymous state $|\psi\rangle$ is first sent by
Babe, with Adam generating $|\phi\rangle = U_0|\psi\rangle$, $|\phi'\rangle = U_1|\psi\rangle$ for $U_0 = I$, $U_1 = R(\theta, C)$ a rotation
by an angle $\theta$ on some great circle $C$ on the qubit Bloch-Poincare sphere. The rotation can
be applied by Adam without knowing $|\psi\rangle$ assuming, as usual, that the orientations of all
the qubit Bloch spheres are known to both Adam and Babe. Thus, $\langle\phi|\phi'\rangle = 0$ for $|\psi\rangle \in C$
and $\theta = \pi$. It can be intuitively expected that Babe cannot then determine $b$, with $P_c^B \sim \frac{1}{2}$
in the presence of sufficiently many decoy states. It should also be clear that Babe cannot
improve her $P_c^B$ by entanglement to $|\psi\rangle$, because she already chooses a $|\psi\rangle$ that allows her
to make perfect discrimination if she knows which qubit is the one she sent, and so she has
no need to change when she tries to cheat.

How about Adam's new possibilities of cheating at this stage? In all uses of anonymous
states, the other party can always try to determine the state by measurement on the single
copy. It is characteristic of quantum physics that the state cannot be determined and cannot
be cloned [24]-[25] arbitrarily accurately, if it is drawn from a nonorthogonal set of states.
However, Adam has a significant probability of success in such attempts, and thus such single
use of a qubit cannot yield an unconditionally secure protocol — $P_c^B \sim \frac{1}{2}$ and $P_c^A \not\sim 1$ but not
$P_c^A \sim 0$. More precisely, with $n$ being the number of decoy states plus one, one would have

$$\lim_n P_c^B = \frac{1}{2}, \qquad 0 < \lim_n P_c^A < 1 \qquad (37)$$

The protocol is thus concealing and quantitatively cheat-sensitive for Adam. If Adam indeed 
cannot do better than cloning, the impossibility proof is contradicted with (37) and thus is 
incorrect as a general proof. 

A way to achieve (37), which has important practical significance, is for Babe to make
verifying measurements on all the qubits before Adam opens. She would choose the basis
corresponding to $\{|\psi\rangle, R(\pi, C)|\psi\rangle\}$ for all $n$ qubits. Babe can evidently check whether Adam
opens correctly in a perfect fashion when he identifies the qubit. It is intuitively clear, and
will be explicitly proved below, that the protocol is concealing. By entangling to the qubit
in state $|\psi\rangle$ in the form

$$\lambda_0 U_0|\psi\rangle|e_0\rangle + \lambda_1 U_1|\psi\rangle|e_1\rangle \qquad (38)$$

Adam can find out Babe's measurement result but he cannot change it for cheating, as
a matter of course — whatever operations and measurements he performs cannot affect the
result Babe already obtained. A precise treatment of the above protocol QBCp3m, a
preliminary (not yet unconditionally secure) protocol with Babe's measurement before opening,
is detailed presently, to be followed by the security proof.
PROTOCOL QBCp3m

(i) Babe sends Adam a state $|\psi\rangle$ known only to herself, randomly picked from a fixed
known great circle $C$ on the Bloch sphere of the qubit $\mathcal{H}_2^B$.

(ii) Adam modulates $|\psi\rangle$ by $U_0 = I$ or $U_1 = R(\pi, C)$, rotation of $|\psi\rangle$ to its orthogonal
state on $C$, for $b = 0$ or $b = 1$. He then picks $n - 1$ qubits with states independently and
randomly chosen among all possible ones, and places the modulated qubit $\mathcal{H}_2^B$ randomly
among them. He sends the $n$ resulting qubits to Babe, each named by its position in the
qubit sequence from 1 to $n$.

(iii) Babe measures $\{|\psi\rangle, R(\pi, C)|\psi\rangle\}$ on each qubit. Adam opens by revealing the
position of $\mathcal{H}_2^B$ and the bit value. Babe verifies by checking her measurement result on $\mathcal{H}_2^B$.

We first show that this QBCp3m is concealing. For each possible $i$th position for $\mathcal{H}_2^B$ in
the qubit sequence sent back by Adam, the state is of the form, in $\mathcal{H}^B$,

$$|\phi_1\rangle \cdots \underset{i}{U_b|\psi\rangle} \cdots |\phi_n\rangle \qquad (39)$$

where each $|\phi_j\rangle$, $j \in \{1, \cdots, n\}$ and $j \ne i$, is, say, one of the four BB84 states on $C$ randomly
and independently chosen. The index "$i$" underneath the state $U_b|\psi\rangle$ in (39) indicates that
it occupies the $i$th position. Thus, the state to Babe is of the form, in $\mathcal{H}^B$,

$$\rho_b^B = \frac{1}{n}\sum_i \frac{I}{2}\otimes\cdots\otimes\underset{i}{\sigma_b}\otimes\cdots\otimes\frac{I}{2}, \qquad (40)$$

with $\sigma_b = U_b\sigma U_b^\dagger$ when Babe sends a state $\sigma$ to Adam without entanglement. Note that it is
sufficient for Adam to choose among two orthogonal states instead of all possible ones for
each qubit, and for Babe to choose among four BB84 states instead of all in a great circle.
While it should be clear that Babe gains nothing with entanglement, that situation will be
dealt with later. From (40), one can evaluate $P_c^B$ straightforwardly since $\rho_0^B - \rho_1^B$ is diagonal
in the product basis that diagonalizes $\sigma_0 - \sigma_1$ on each qubit. Let $n = 2\ell + 1$ and $\lambda_+ \le 1$ be
the positive eigenvalue of $\sigma_0 - \sigma_1$; it is shown in Appendix C that






The optimal probability (41) is obtained with $\lambda_+ = 1$ when the above product basis is
measured and $b$ is set to be 0 or 1 according to a majority vote on the positive and negative
outcomes corresponding to the eigenvectors $|\lambda_+\rangle$ and $|\lambda_-\rangle$. From the standard bounds on
binomial coefficients,

$$\frac{1}{4\sqrt{\ell}} \le P_c^B - \frac{1}{2} \le \frac{1}{2\sqrt{\ell}} \qquad (42)$$

The optimal strategy is thus still concealing with $\lim_n P_c^B = \frac{1}{2}$, but it is better than guessing
at the qubit sent and then measuring and deciding on it alone, which yields $P_c^B = \frac{1}{2}(1 + 1/n)$.

To show that entanglement does not change the above situation in the simplest possible
way, we would merely give a detailed proof that concealing is not affected by Babe's
entanglement. When she entangles $\mathcal{H}_2^B$ to an $\mathcal{H}^C$ she would attach $\mathcal{H}^C$ to one of the qubits sent
back by Adam. The resulting density operator is the same independently of which particular
qubit position she attaches $\mathcal{H}^C$ to, from symmetry. From the triangle inequality for trace
norm [18], the distance between the resulting is bounded by

n\\p^-pf ||i < 2+||p*-pf Id (43) 

where the term 2 is the maximum possible [23, App A] distance $\|\rho_0 - \rho_1\|_1$ for any states
$\rho_0$ and $\rho_1$, corresponding to the case where $\mathcal{H}^C$ is attached correctly to $\mathcal{H}_2^B$. The $\rho_b^B$ are
the same as (40) because the mismatched $\mathcal{H}^C$ state does not affect the trace distance as a
consequence of

$$\|(\rho - \rho')\otimes\sigma\|_1 = \|\rho - \rho'\|_1 \qquad (44)$$

Equation (44) follows immediately from evaluating the left-hand side in the diagonal
representation of $(\rho - \rho')\otimes\sigma$. Thus, the protocol is still concealing from (42) and (43). Actually,
it can be shown that the optimal $P_c^B$ of (41) without entanglement remains optimal with
entanglement. Note that our proof shows that the protocol is concealing for any $|\psi\rangle \in \mathcal{H}_2^B$ even
though we may impose restriction on $|\psi\rangle$ in the binding proof or for ease of implementation.

Since Babe's verifying measurement can be perfectly made before Adam opens, a
"no-clone" argument can be developed for binding. Adam cannot find out what measurement
basis, not to mention $|\psi\rangle$, Babe used by entangling the qubits to $\mathcal{H}^A$ — the state on $\mathcal{H}^A$
is obtained by tracing over $\mathcal{H}^B$ and is independent, not only of $|\psi\rangle$ but of the specific
measurement basis Babe uses (or no measurement from her at all). Thus, he can gain no
information from Babe's measurement to help him cheat in any way. One way for Adam to
cheat is by cloning, as it is the same whether one wants to get or $U|\psi\rangle$} for a
known $U$. The optimal cloning performance is a fixed number $p_A < 1$ independent of $n$. The
optimal one-to-two clone has been worked out for a variety of criteria and state sets. In the
present situation, the state set is $C$ or the four BB84 states. If the cloning is described by
$|\psi\rangle \to |\psi_{ab}\rangle$ over two qubits with marginal states $\rho_a$ and $\rho_b$, the criterion here corresponds
to

$$F_c = \frac{1}{2}\langle\psi|\rho_a|\psi\rangle + \frac{1}{2}\langle\psi|U_1^\dagger\rho_b U_1|\psi\rangle_{\rm av} \qquad (45)$$

with average over a uniform distribution on the state set from which $|\psi\rangle$ is drawn. It seems
that the existing results [26]-[27] almost cover this case exactly [28]. Now, it appears that
Adam cannot do better than this optimum by any action because if he could, he should
have succeeded in cloning better than the optimal cloner, a contradiction, according to
the following reasoning. He would have, by an objective physical procedure, succeeded in
producing clones among $n$ qubits, where he could identify which ones are the clones. If Babe
did not measure first, this would not be surprising because the two copies are obtained on
two different conditional (upon Adam's measurement result) states for Babe. The fact that
Adam can identify both means that he could not just spread $n - 1$ qubit states uniformly
on $C$, one of which would be close to $U|\psi\rangle$, but he wouldn't be able to tell which one.
That he is not able to identify both simultaneously does not alter the fact he has cloned.
Alternatively consider the following situation with the cloning of one copy of ® \ip) into 
{|-0) g) (gi for a criterion as (41), with optimum pa < 1. If Babe gets identical 

measurement results on two sets of n qubits sent back to her by Adam, each obtained by the 
same procedure as above, Adam would have succeeded in cloning <g> \ip) by carrying out 
the two different identification procedures on the two n-qubit sets and applying the results to 
both sets. To ensure that Babe could have the identical measurement results almost surely, 
consider the following Gedankenexperiment. Babe sends a large number $N$ of identical states
$|\psi\rangle$ to Adam, who carries out the same objective physical preparation (cheating) procedure
on her $N$ $n$-qubit sets. Babe performs her measurement on each and every set, obtaining,
with probability exponentially close to 1, pairs of identical results that total $N'$ sets with
$N'/N$ close to 1 for sufficiently large $N$. Adam would then have, via the above separate
identification procedure on each pair, succeeded in cloning in almost all of the original $N$
sets. Both the above single-set argument and the present $N$-set argument are valid, but a
complete formalization of the arguments will be given elsewhere.

Note that, in this protocol, Adam cannot cheat any better by generating decoy states
other than $I/2$. Thus we have covered all possible actions by Adam and Babe, and can
summarize the above results as

Theorem 4:

In protocol QBCp3m, Babe's optimal cheating probability can be made arbitrarily close
to $\frac{1}{2}$ for large number of qubits $n$, while Adam's optimal cheating probability remains fixed
and not arbitrarily close to 1.

What would happen to Adam's EPR attack in the above scheme if Babe performs her
verifying measurement after he opens? One may have the protocol "QBC3" in reference [29]
in which Babe disregards the $n - 1$ qubits not first sent by her. It is simpler to consider
the following variant more in line with the impossibility proof formulation. Let $|\psi\rangle \in S =
\{|1\rangle, |2\rangle, |3\rangle, |4\rangle\}$ where $|1\rangle$ and $|2\rangle$ are the vertical and horizontal states on $C$, and $|3\rangle$ and
$|4\rangle$ are the two orthogonal diagonal ones, so together they make up the four standard BB84
states on $C$. Consider the case where each of the other $n - 1$ qubits sent by Adam has to
be in $S' = \{|1\rangle, |2\rangle\}$. Adam modulates by $U_b$ and opens by identifying the $\mathcal{H}_2^B$ position
and the states of all the qubits. Babe verifies by performing the corresponding projection
measurements. Let $|\psi\rangle$ be purified as

$$\frac{1}{2}\sum_{i=1}^{4} |i\rangle|f_i\rangle \qquad (46)$$

for $|i\rangle \in S \subset \mathcal{H}_2^B$ and orthonormal $|f_i\rangle \in \mathcal{H}^C$. Let $U_{1j}$, $j \in \{2, \cdots, n\}$, be the unitary operator
that swaps qubit position 1 and $j$ on $\mathcal{H}^B = \mathcal{H}_2^B \otimes \bigotimes_{j=2}^{n}\mathcal{H}_2$. On $\mathcal{H}^A \otimes \mathcal{H}^B$, Adam can form the
entanglement by employing orthonormal $|e_i\rangle \in \mathcal{H}^A$, $i \in \{1, \cdots, n \cdot 4^{n-1}\}$, with uniform or
whatever probabilities, using $U_{1j}$ and $S'$. In analogy with QBCp3m, we have a preliminary
protocol QBCp3u which is close to a usual one in which Adam can launch EPR attacks.

PROTOCOL QBCp3u 

(i) Babe sends Adam a state $|\psi\rangle$ known only to herself, randomly picked from the four
BB84 states on a fixed great circle $C$ of the qubit $\mathcal{H}_2^B$.

(ii) Adam modulates $|\psi\rangle$ by $U_0 = I$ or $U_1 = R(\pi, C)$ for $b = 0$ or 1. He then picks $n - 1$
qubits with states independently and randomly from two orthogonal states known to Babe,
places the modulated qubit $\mathcal{H}_2^B$ randomly among them, and sends the $n$ qubits to Babe in
a named order.

(iii) Adam opens by revealing the state of all the qubits and identifying $\mathcal{H}_2^B$. Babe verifies
by checking the corresponding projections.

This protocol is concealing exactly as in QBCp3m. As shown in section III, the impossibility
proof does not cover this protocol. Indeed, assuming Adam opens perfectly for $b = 0$ as in
the impossibility proof, it can be shown that he cannot then cheat with $P_c^A \sim 1$. The basic
reason is that he can only identify correctly on the decoy states, for arbitrary $|\psi\rangle$, by not
involving $|\psi\rangle$ in the entanglement of the decoy states. However, he cannot then rotate $|\psi\rangle$
to its orthogonal complement on $C$. The full security proof covering the situation in which
Adam does not open perfectly is being developed.
V Unconditionally Secure Bit Commitment Schemes

The QBC protocol in the previous section that invalidates the impossibility proof can be
extended to fully unconditionally secure protocols as described in the following. This may be
expected because if Adam cannot cheat nearly perfectly on one qubit, his cheating probability
can be brought exponentially close to zero in a sequence of independent qubits. To extend
the above protocols in this manner, first consider the case where $\mathcal{H}_2^B$ in QBCp3m is replaced
by $\mathcal{H}^B = \bigotimes_{k=1}^{m}\mathcal{H}_{2k}$. Let Babe send Adam a sequence of $m$ qubits

$$|\psi\rangle = |\psi_1\rangle \otimes \cdots \otimes |\psi_j\rangle \otimes \cdots \otimes |\psi_m\rangle, \qquad j \in \{1, \cdots, m\} \qquad (47)$$

Each $|\psi_j\rangle$ is randomly and independently chosen from the same fixed great circle $C$ for all
the $m$ qubits, and named by its sequence position $j$ within $\mathcal{H}^B$. Adam applies $U_b$ to each
of these qubits and then randomly places $\mathcal{H}^B$ among a sequence of $N - 1$ quantum spaces
$\mathcal{H}_\ell^B$, each a product of $m$ qubits, with states on all the $m(N - 1)$ qubits randomly and
independently chosen from a fixed great circle $C$. The total sequence or product state

$$|\chi_1\rangle \cdots |\chi_\ell\rangle \cdots |\chi_N\rangle, \qquad \ell \in \{1, \cdots, N\} \qquad (48)$$

is re-named by the new position $\ell$ and sent back to Babe. Apart from the modulated state
in $\mathcal{H}^B$, each of the other $N - 1$ $|\chi_\ell\rangle$ in $\mathcal{H}_\ell^B$ is a product of $m$ qubit states. Each of the
$N$ state spaces would be referred to as a qumode. Similar to (35), Adam knows, but Babe
does not, which $|\chi_\ell\rangle$ is the modulated $|\psi\rangle$ and he opens by giving Babe this information,
but he does not know what the $|\psi_j\rangle$'s are. Before Adam opens, Babe measures on every
qumode the product qubit basis given by $\{|\psi_j\rangle, R(\pi, C)|\psi_j\rangle\}$ across the $m$ qubits, which
diagonalizes $\rho_0^B - \rho_1^B$. She optimally decides on $b$ by the majority of the two patterns of $|\psi_j\rangle$
and $R(\pi, C)|\psi_j\rangle$, the other patterns occurring with equal probability.

To prove concealing, the following argument is used in lieu of evaluating directly the
trace distance. For any fixed $m$, let $N$ be chosen large enough that the number of times
a particular pattern of $|\psi\rangle$ in (47) shows up in Babe's measurement on a random qumode
is at least $(N - 1)(2^{-m} - \delta)$ for a small $\delta > 0$, where $(N - 1)2^{-m}$ is the average. This is
possible with a probability exponentially close to 1 from the Chernoff bound. The situation
then becomes the same as the qubit case of section IV, with $n$ replaced by $N(2^{-m} - \delta)$
for the upper bound in (42), which can then be set to any desired small level by further
increasing $N$. Babe's possible entanglement can be handled as in (43). Thus, the protocol
is concealing. Adam's optimal cheating probability is given by $P_c^A = p_A^m$, which fixes $m$ for
given $P_c^A < \epsilon$. We summarize the results.

PROTOCOL QBC3m1

(i) Babe sends Adam a product state (47), each $|\psi_i\rangle$ named by its position and
independently and randomly chosen from a BB84 state set $S$ in $C$.

(ii) Adam modulates each and all $|\psi_i\rangle$ by $U_0 = I$ or $U_1 = R(\pi, C)$, then independently
and randomly places the exact sequence among $N - 1$ qumodes, each a product of $m$ qubits
randomly distributed on $S$. He sends the $N$ qumodes to Babe in a named order.

(iii) Babe measures the $m$ $\{|\psi_j\rangle, R(\pi, C)|\psi_j\rangle\}$ on each of the $N$ qumodes. Adam opens
by announcing which qumode is the modulated $|\psi\rangle$ and the bit value. Babe verifies by
checking her measurement result.

Theorem 5: 

Protocol QBC3m1 is unconditionally secure.

Variations of the protocol can be easily created without affecting the unconditional
security. For example, consider the case where Babe sends (47) to Adam which he returns in $m$
segments of $N$ qubits each, the $j$th one containing exactly one $|\psi_j\rangle$ from (47). Babe can then
make a uniform measurement on each $N$-sequence, deciding whether each such $N$-sequence
corresponds to a 0 or 1 by a majority vote, and the overall $b$ by a majority vote on the $m$
outcomes.

To show that such a protocol is concealing, one may first take care of Babe's entanglement
possibility to $\mathcal{H}^C$ by, similar to (43),

$$\|\rho_0^{BC} - \rho_1^{BC}\|_1 \le [1 - p(N, m)] \cdot 2 + p(N, m) \cdot \|\rho_0^B - \rho_1^B\|_1 \qquad (49)$$

where $p(N, m) = (1 - \frac{1}{N})^m$ is the probability that none of the $m$ attached entangled qubits in
$\mathcal{H}^C$ matches the actual qubit position, which can be made arbitrarily close to 1 for any fixed
$m$ by making $N$ large. Then one argues that independent qubit probability distributions are
obtained because for optimal $P_c^B$ Babe should not entangle across the qubits in (47) as that
would create additional randomness for the individual qubit measurements she would make,
the latter needed since she has a vanishingly small probability to locate her own qubits.
(Indeed, there is no point for her to correlate the $|\psi_j\rangle$ in the first place, as an involved
classical probabilistic argument would show.) From the independence of $|\chi_\ell\rangle$ and the $|\psi_j\rangle$
positions in the $m$ $N$-sequences, the optimal decision Babe can make is to decide on 0 or 1 on
each of the $N$-sequences as the $m = 1$ case, and then take a majority vote to decide on $b$. Let
$p$ be the probability of Babe's correct decision in each $N$-sequence. Then $p$ is given by (41)
and bounded as in (42) with $n$ replaced by $N$. The overall $P_c^B = \sum_{k=0}^{(m-1)/2}\binom{m}{k}p^k(1 - p)^{m-k}$
can be made, for any fixed $m$, arbitrarily close to 1/2 by making $p$ arbitrarily close to 1/2,
i.e., with $N$ sufficiently large, because this $P_c^B$ is a continuous function of $p$. The value of $m$
is determined from $p_A^m < \epsilon$ from cloning. With $P_c^B - \frac{1}{2} < \epsilon$, the unconditional security proof
is completed for the following

PROTOCOL QBC3m2 

(i) Babe sends Adam a sequence of $m$ qubits, each $|\psi_i\rangle$ named by its position and
independently and randomly chosen from a great circle $C$.

(ii) Adam modulates each and all $|\psi_j\rangle$ by $U_0 = I$ or $U_1 = R(\pi, C)$, then places each
$U_b|\psi_j\rangle$ independently and randomly among the $j$th of $m$ succeeding $N$-sequences of qubits,
the states of all the other qubits independently and randomly chosen. He sends the $n = mN$
succeeding qubits with their position names to Babe.

(iii) Babe measures $\{|\psi_j\rangle, R(\pi, C)|\psi_j\rangle\}$ on the $N$ qubits of the $j$th sequence for all $j$.
Adam opens by revealing the positions of $U_b|\psi_j\rangle$ and the bit value. Babe verifies by checking
her measurement results on these qubits.

Theorem 6: 

Protocol QBC3m2 is unconditionally secure. 
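
The concealing calculation for QBCp3m and the choice of $m$ and $N$ in QBC3m2 can be checked numerically. The following Python sketch is an added example, not code from the paper: it enumerates Babe's measurement outcomes under (40) for orthogonal modulation ($\lambda_+ = 1$), compares the majority-vote success probability with the position-guessing value $\frac{1}{2}(1 + 1/n)$, and then picks $m$ and $N$ for a target $\epsilon$. The function names, the closed form obtained here by counting outcome strings, and the cloning fidelity `p_clone` (an input whose value the page does not give) are assumptions of the example.

```python
from fractions import Fraction
from itertools import product
from math import comb, exp, lgamma, log


def babe_bruteforce(n):
    """Exact optimal P_c^B for QBCp3m by enumerating all 2^n outcome strings.

    Babe measures every qubit in {|psi>, R(pi,C)|psi>}. A decoy (I/2) gives
    either outcome with probability 1/2; the modulated qubit, at a uniformly
    random position, gives |psi> for b=0 and R(pi,C)|psi> for b=1.
    """
    weight = Fraction(1, n * 2 ** (n - 1))
    total = Fraction(0)
    for outcome in product((0, 1), repeat=n):   # 1 = rotated-state outcome
        rotated = sum(outcome)
        p_given_0 = weight * (n - rotated)      # P(outcome | b = 0)
        p_given_1 = weight * rotated            # P(outcome | b = 1)
        total += max(p_given_0, p_given_1)      # best guess = majority vote
    return total / 2                            # equal priors on b


def babe_closed_form(n):
    """Same probability for odd n = 2l+1, grouping strings by `rotated`
    (closed form derived for this example, not copied from the page)."""
    if n % 2 == 0:
        raise ValueError("n must be odd")
    l = (n - 1) // 2
    return Fraction(1, 2) + Fraction(comb(2 * l, l), 2 ** (2 * l + 1))


def babe_guess_position(n):
    """Guess one position and decide on that qubit alone: (1/2)(1 + 1/n)."""
    return Fraction(1, 2) * (1 + Fraction(1, n))


def babe_advantage(n):
    """P_c^B - 1/2 as a float for large odd n (log-gamma avoids huge ints)."""
    l = (n - 1) // 2
    return exp(lgamma(2 * l + 1) - 2 * lgamma(l + 1) - (2 * l + 1) * log(2))


def babe_overall(N, m):
    """QBC3m2: majority vote inside each of m N-sequences, then across them.
    Returns the probability that the final majority (m odd) is correct."""
    p = 0.5 + babe_advantage(N)
    return sum(comb(m, k) * p ** k * (1 - p) ** (m - k)
               for k in range((m + 1) // 2, m + 1))


def choose_parameters(p_clone, eps):
    """Smallest odd m with p_clone^m < eps, then the smallest odd N that
    brings Babe's overall advantage below eps.
    Requires 0 < p_clone < 1 and 0 < eps < 1/2."""
    m = 1
    while p_clone ** m >= eps:
        m += 2
    lo, hi = 1, 3                               # N = 1 always fails
    while babe_overall(hi, m) - 0.5 >= eps:
        lo, hi = hi, 2 * hi + 1                 # stays odd
    while hi - lo > 2:                          # bisect over odd N
        mid = (lo + hi) // 2
        mid += (mid % 2 == 0)
        if babe_overall(mid, m) - 0.5 < eps:
            hi = mid
        else:
            lo = mid
    return m, hi


if __name__ == "__main__":
    for n in (3, 5, 7, 9):
        assert babe_bruteforce(n) == babe_closed_form(n)
        print(n, babe_closed_form(n), babe_guess_position(n))
    # p_clone = 0.9 is an assumed value chosen only to exercise the search.
    print(choose_parameters(p_clone=0.9, eps=0.05))
```

The search makes the cost of the construction visible: $m$ grows only logarithmically in $1/\epsilon$, while $N$ must grow roughly as the square of $m/\epsilon$ because Babe's per-sequence advantage falls off as $1/\sqrt{N}$.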

Protocols QBC3u1 and QBC3u2 can be introduced similar to the last section. They are
omitted here since their full security proofs are not yet available.
VI Conclusion



In this paper we have explicitly detailed two major ways in which the QBC impossibility proof 
fails as a general proof. There are two corresponding significant general issues concerning 
the impossibility proof. One is that classical randomness and the corresponding information 
flow between the two parties may play a significant role in a general protocol. Such a 
role has not been completely characterized for the classical case, and cannot be simply 
eliminated by quantum purification. This points to the more general, second issue: how 
one can characterize all possible QBC protocols at all when one has not been able to do 
that for any type of classical cryptographic protocols. In particular, there are many possible 
protocols with random numbers generated by Adam and Babe during various stages of 
a protocol, necessitating uniformity conditions similar to (25) that would intertwine in a 
complicated classical way that is not resolved by quantum purification. As things stand, it 
is even open whether a perfectly secure QBC protocol is possible, given the limited scope of 
Theorem 3. 

In any event, it is possible to have unconditionally secure quantum bit commitments, as
protocols QBC3m1 and QBC3m2 demonstrate. Equally significantly, these protocols can be
carried out without any quantum memory to be used between commitment and opening.
In applications to key management or identification/authentication, such required quantum
memory would be very long on microscopic scale, at least for network type situations. It is
unrealistic to expect that such quantum memory would become available in any reasonable
amount of time. Thus, these protocols represent a major step in advancing the possible
practical use of quantum bit commitment. Moreover, each qubit in the protocol can be replaced
by a full optical field mode and qubit state by large-energy coherent state, without affecting
the essential underlying operations, thus making the protocol even easier to implement. A
full description of such protocols and quantitative tradeoffs between security and complexity
will be given in a future paper.
Appendix A

Proof of Theorem 2 

By choosing $|e_i\rangle = |e'_i\rangle$ in (1)-(2), one obtains

$$|\langle\Phi_1|U^A|\Phi_0\rangle| = |\mathrm{tr}\,UA| \qquad (A1)$$

The maximum of $|\mathrm{tr}\,UA|$ over all unitary $U$ is attained when $UA$ is nonnegative definite with
maximum value given by $\mathrm{tr}|A|$ [17, p. 43]. Thus $U$ is determined by the polar decomposition
(generalization to infinite dimensional space can be obtained via maximal partial isometry)
of $A = |A|U^\dagger$.

With pi = p'i,Pc is given by (20) and is thus bounded above by J2i \Mu which is just 
$\mathrm{tr}|A| = F$. For a set of probabilities $\alpha_i$ and complex numbers $\lambda_i$, one has

$$\sum_i \alpha_i|\lambda_i|^2 \ge \Big|\sum_i \alpha_i\lambda_i\Big|^2 \qquad (A2)$$

as a consequence of Jensen's inequality and the concavity of the function $x \mapsto x^2$. The lower
bound of (21) follows from (A2) with $\alpha_i = p_i$ and $\lambda_i = \sqrt{p'_i/p_i}\,\langle\phi_i|\phi'_i\rangle$, valid for $p_i \ne p'_i$.
Appendix B

Example on Proper Concealing 

In the notations of sections II-III, the following example shows that for (24), even with 
no small the condition (34) does not imply that Adam can cheat as claimed by the 
impossibility proof. 

Consider 2-qubit $\mathcal{H}^B = \mathcal{H}_2 \otimes \mathcal{H}_2$ and $|\Phi\rangle \in \mathcal{H}^B \otimes \mathcal{H}^C$ given by

$$|\Phi\rangle = \frac{1}{\sqrt{2}}\left(|a\rangle|a'\rangle|f_1\rangle + |a'\rangle|a\rangle|f_2\rangle\right) \qquad (B1)$$

where $|a\rangle$ and $|a'\rangle$ are two openly known orthogonal states in $\mathcal{H}_2$, and $|f_1\rangle$, $|f_2\rangle$ are orthonormal
in $\mathcal{H}^C$, which is also a qubit. The operations are taken to be $p_1 = p'_1 = p_2 = p'_2 = \frac{1}{2}$, $U_{01} = I$,
$U_{02} = P$ the permutation operator switching the two qubit positions in $\mathcal{H}^B$, $U_{11} = R$ a
rotation that brings $|a\rangle$ to $|a'\rangle$ and $|a'\rangle$ to $|a\rangle$, $U_{12} = RP$. It follows easily that, after
entanglement by Adam, $\rho_0^{BC}(\Phi) = \rho_1^{BC}(\Phi)$ and he can cheat perfectly when Babe forms
(B1).

However, it is Babe who can actually cheat perfectly in this situation. Instead of sending
(B1) she can send $|a\rangle|a\rangle \in \mathcal{H}^B$, which would defeat Adam's cheating and allow
herself to cheat. The underlying reason is, of course, that (31) or (25) is not satisfied, and
$|a\rangle|a\rangle \notin \mathrm{span}\{|a\rangle|a'\rangle, |a'\rangle|a\rangle\}$, violating the condition required for (34)-(35). Clearly, there is
no reason why Babe wants to be honest so Adam can cheat. Thus, the impossibility proof
formulation, which does not have a condition such as (36), is not a meaningful one in the
presence of random numbers, with consequent incorrect claim on same situation.
Appendix C

Evaluation of Trace Distance 

One straightforward way to evaluate $\|\rho_0^B - \rho_1^B\|_1$ for $\rho_b^B$ of (40) is to directly compute the
trace norm in the product basis spanned by $\{|\lambda_+\rangle, |\lambda_-\rangle\}$ for each qubit. Let $k$ be the number
of $|\lambda_-\rangle$ in a product-basis vector. One has, from a direct counting calculation,




(C1)



The binomial sum in (C1) can be evaluated in closed form. With $n = 2\ell + 1$,




(C2) 



Equation (41) follows from (C1)-(C2). 
Appendix D

Simple Summary of Protocols QBCp3m, etc. 

The statement, underlying logic, and security of protocol QBCp3m can be simply presented 
as follows. The detailed proofs are given in the paper. 

Let Babe send Adam a qubit in state $|\psi\rangle$ known only to herself, $|\psi\rangle \in C \subset \mathcal{H}_2^B$ in a fixed
great circle $C$ of the qubit Bloch sphere. Depending on $b = 0$ or 1, Adam leaves it alone or
rotates it to its orthogonal state $|\psi'\rangle$, then sends it back to Babe among a number $n - 1$ of
random decoy qubit states. Independently of $b$, Babe can make the same qubit measurement
of the basis $\{|\psi\rangle, |\psi'\rangle\}$ on every one of the $n$ qubits before Adam opens. The protocol is still
concealing with $P_c^B \to \frac{1}{2}$ as $n \to \infty$, because she does not know which qubit is the one
she sent. It is clear that Babe cannot determine $b$ any better by sending $|\psi\rangle \notin C$ or by
entangling $|\psi\rangle$. Because Adam cannot gain any information on Babe's measurement basis
via entanglement, his optimal cheating probability $P_c^A$ is given by an appropriate one-to-two
clone fidelity $p_A$, which is independent of $n$ and not arbitrarily close to 1. As he has to open
0 and 1 on two different qubits given Babe already measures, the optimality of $p_A$ would be
contradicted if he can do any better. Thus far, the quantitative claim of the impossibility
proof, (IP) of (9) or (IP') of (10), has been invalidated by the above protocol QBCp3m.
More significantly, it shows that the impossibility proof formulation misses a whole class
of protocols in which Babe can make the verifying measurement independently of $b$ before
Adam opens.

It is straightforward to extend QBCp3m to unconditionally secure protocols, such as
QBC3m1 and QBC3m2, by having Babe send Adam a sequence of $m$ independent $|\psi\rangle$'s
with $p_A^m$ set to any arbitrarily small value $\epsilon$. Adam sends back each of the $m$ uniformly
modulated qubits in different restricted ways among $n$ qubits. Babe makes the corresponding
measurements before Adam opens. The resulting protocols are concealing with $n$ sufficiently
large for any fixed $m$, which is determined by Adam's optimal cheating probability $P_c^A = p_A^m$,
and are thus fully unconditionally secure in the sense (US) of (8).